Mastering TCP: Understanding All Connection States and Their Transitions
This article provides a comprehensive guide to TCP connection states, Linux commands for monitoring them, the three‑way handshake, four‑way termination, flag meanings, common pitfalls like SYN floods, and practical keep‑alive and sysctl tuning techniques for reliable network troubleshooting.
TCP State Inspection Commands
netstat -nat – displays the number of sockets in each TCP state.
lsof -i:PORT – shows which processes have opened a specific port.
sar -n SOCK – reports the number of TCP connections created.
tcpdump -i any tcp port PORT – captures traffic on a given TCP port.
Network Testing Tools
ping HOST – tests reachability, latency, jitter and packet loss.
traceroute HOST – traces the route to a destination.
pathping HOST – combines ping and traceroute information.
mtr HOST – merges ping, DNS lookup and traceroute.
nslookup DOMAIN – resolves DNS records.
TCP State Overview
LISTEN – server socket waiting for incoming connection requests.
SYN‑SENT – client has sent a SYN and is awaiting a matching response.
SYN‑RECEIVED – server has received a SYN, sent SYN‑ACK and is waiting for the final ACK.
ESTABLISHED – both ends have completed the three‑way handshake; data can be exchanged.
FIN‑WAIT‑1 – active closer has sent FIN and is waiting for ACK.
FIN‑WAIT‑2 – active closer has received ACK for its FIN and is waiting for the remote FIN.
CLOSE‑WAIT – passive closer has received FIN, sent ACK and is waiting for the application to close.
CLOSING – both sides have sent FINs and are waiting for the final ACK.
LAST‑ACK – passive closer has sent its FIN and is waiting for the final ACK.
TIME‑WAIT – socket remains to ensure the remote side received the final ACK and to discard delayed packets.
CLOSED – no connection state; socket is free for reuse.
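The states listed above can be tallied from `netstat -nat` output to spot the build-ups this article is concerned with. The following is an added example, not code from the original article: the sample output, the thresholds and the names `parse` and `summarize` are assumptions made for illustration, and the state names are the ones Linux netstat prints.

```python
from collections import Counter

# Constructed sample of `netstat -nat` output (documentation addresses, not real hosts).
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:9502            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:9502           198.51.100.7:40001      SYN_RECV
tcp        0      0 10.0.0.5:9502           198.51.100.8:40002      SYN_RECV
tcp        0      0 10.0.0.5:9502           198.51.100.9:40003      SYN_RECV
tcp        0      0 10.0.0.5:9502           203.0.113.4:51000       ESTABLISHED
tcp        1      0 10.0.0.5:9502           203.0.113.5:51001       CLOSE_WAIT
tcp        0      0 10.0.0.5:45000          192.0.2.10:443          TIME_WAIT
tcp6       0      0 :::9502                 :::*                    LISTEN
"""

# What a build-up in each state usually points to.
HINTS = {
    "SYN_RECV": "handshakes never completed: possible SYN flood",
    "CLOSE_WAIT": "peer sent FIN but the local application has not closed",
    "TIME_WAIT": "many short-lived connections closed from this side",
}

def parse(text):
    """Yield (local_port, state) for every TCP socket line, skipping headers."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 6 and fields[0].startswith("tcp"):
            # rsplit handles both 10.0.0.5:9502 and the IPv6 form :::9502
            yield int(fields[3].rsplit(":", 1)[1]), fields[5]

def summarize(text, thresholds):
    """Return (per-state totals, alerts for local ports at or over a threshold)."""
    totals, per_port = Counter(), Counter()
    for port, state in parse(text):
        totals[state] += 1
        per_port[(port, state)] += 1
    alerts = [
        (port, state, count, HINTS.get(state, ""))
        for (port, state), count in sorted(per_port.items())
        if count >= thresholds.get(state, float("inf"))
    ]
    return totals, alerts

if __name__ == "__main__":
    # Thresholds are assumed values; tune them to the host's normal load.
    totals, alerts = summarize(SAMPLE, {"SYN_RECV": 3, "CLOSE_WAIT": 1, "TIME_WAIT": 100})
    print(dict(totals))
    for port, state, count, hint in alerts:
        print(f"port {port}: {count} x {state} ({hint})")
```

On a live host, pass the text captured from `netstat -nat` to `summarize` in place of `SAMPLE`.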
State Transition Diagrams
Client normal flow:
CLOSED → SYN‑SENT → ESTABLISHED → FIN‑WAIT‑1 → FIN‑WAIT‑2 → TIME‑WAIT → CLOSED
Server normal flow:
CLOSED → LISTEN → SYN‑RECEIVED → ESTABLISHED → CLOSE‑WAIT → LAST‑ACK → CLOSED
Three‑Way Handshake
Client sends SYN (state SYN‑SENT).
Server replies with SYN‑ACK (state SYN‑RECEIVED).
Client acknowledges with ACK; both sides enter ESTABLISHED.
Example capture:
tcpdump -i any tcp port 9502
Four‑Way Termination
Active closer sends FIN (state FIN‑WAIT‑1).
Passive side ACKs the FIN (state CLOSE‑WAIT).
Passive side sends its own FIN (state LAST‑ACK).
Active side ACKs the second FIN and enters TIME‑WAIT, then CLOSED.
Simultaneous Open and Close
When both ends initiate a connection or termination at the same time, the state machine still converges after four packet exchanges, though many BSD implementations do not support simultaneous open.
TCP Flags
SYN – initiates a connection.
FIN – terminates a connection.
ACK – acknowledges received data.
PSH – pushes data to the receiving application.
RST – resets a connection.
Handling Half‑Open Connections
If a client crashes without sending a FIN, the server may retain sockets in ESTABLISHED or CLOSE‑WAIT. Detect such dead peers with keep‑alive probes or application‑level heartbeats.
Keep‑Alive Mechanisms
Application‑level heartbeat thread that periodically sends a small packet and expects an ACK.
Enable kernel TCP keep‑alive, which sends probes after an idle period.
Typical Linux sysctl settings:
net.ipv4.tcp_keepalive_time = 60
net.ipv4.tcp_keepalive_intvl = 20
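net.ipv4.tcp_keepalive_probes = 3
Parameters to mitigate excessive TIME‑WAIT sockets:
# SYN cookies protect the listen queue during a SYN flood; they do not affect TIME‑WAIT
net.ipv4.tcp_syncookies = 1
# lets new outgoing connections reuse sockets that are in TIME‑WAIT
net.ipv4.tcp_tw_reuse = 1
# removed in Linux 4.12; on older kernels it drops connections from clients behind NAT
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30
Common errno Values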
22 – Invalid argument (e.g., malformed IP address).
101 – Network unreachable.
111 – Connection refused.
115 – Operation now in progress (non‑blocking socket awaiting response).
Liangxu Linux